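import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.StringTokenizer;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Servlet filter that rejects requests whose parameters contain a configured
 * set of keywords (default: {@code like, and, or, select, 1=1}), or whose
 * parameter count / value length exceed configured limits.
 *
 * <p>Matching is a case-insensitive lookup of each whitespace-delimited token
 * of every parameter value against the keyword set. This is a coarse
 * heuristic: it rejects ordinary text that happens to contain words such as
 * "and" or "or", and it is only a defence-in-depth layer — it does not
 * replace parameterized queries ({@code PreparedStatement}) in the data
 * access code.
 *
 * <p>Init parameters (all optional): {@code characterEncoding},
 * {@code riskPattern} ('|'-separated keywords, replaces the defaults),
 * {@code errorPageUrl}, {@code maxValueLength}, {@code maxParaNum}.
 * A non-integer limit value fails {@link #init} with a
 * {@link ServletException} instead of a raw {@link NumberFormatException}.
 */
public class SqlInjFilter implements Filter {

    private static final Log log = LogFactory.getLog(SqlInjFilter.class);

    /** Keyword list; replaced wholesale when the {@code riskPattern} init parameter is set. */
    private String[] riskStrs = new String[] { "like", "and", "or", "select", "1=1" };

    /** Redirect target for rejected requests. */
    private String errorPageUrl = "******";

    /** Lower-cased keywords used for token lookup; values are unused. */
    private Map<String, String> riskStrMap = new HashMap<String, String>();

    private String charEncoding = "utf-8";

    /** Maximum length of a single parameter value; -1 disables the check. */
    private int maxValueLength = -1;

    /** Maximum number of request parameters; -1 disables the check. */
    private int maxParaNum = -1;

    /**
     * Validates the request parameters and either forwards the request down
     * the chain or logs the finding and redirects to {@link #errorPageUrl}.
     *
     * @throws IOException      from the chain or the redirect
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        String validateStr = reqValidate(req);
        if (validateStr == null) {
            chain.doFilter(req, res);
            return;
        }

        // The parameter text is attacker-controlled; strip CR/LF so it cannot
        // forge additional log lines.
        String safeInfo = validateStr.replaceAll("[\\r\\n]", " ");
        log.error("Sql injection risk, the source ip is " + req.getRemoteAddr()
                + ", the request URL is '" + req.getRequestURL()
                + "', parameter info: '" + safeInfo + "'.");
        res.sendRedirect(errorPageUrl);
    }

    /**
     * Checks every parameter of {@code req} against the configured limits
     * and keyword set.
     *
     * @return a human-readable description of the first violation found, or
     *         {@code null} when the request passes
     * @throws UnsupportedEncodingException if {@code charEncoding} is unknown
     */
    protected String reqValidate(HttpServletRequest req) throws UnsupportedEncodingException {
        // Must be set before the first parameter access, otherwise the
        // container has already decoded the body with its default charset.
        req.setCharacterEncoding(charEncoding);

        // Servlet 3.0+ declares Enumeration<String>; on 2.5 this assignment is
        // merely an unchecked warning.
        Enumeration<String> params = req.getParameterNames();
        int paramCount = 0;
        while (params.hasMoreElements()) {
            paramCount++;
            if (maxParaNum != -1 && paramCount > maxParaNum) {
                return "parameter is to much,over max Parameter Number " + maxParaNum;
            }
            String name = String.valueOf(params.nextElement());
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (maxValueLength != -1 && value.length() > maxValueLength) {
                    return "the value of '" + name + "'is too big, the length is " + value.length();
                }
                if (isSqlSnippet(value)) {
                    return name + ":" + value;
                }
            }
        }
        return null;
    }

    /**
     * Returns {@code true} when any whitespace-delimited token of
     * {@code str} (trimmed, lower-cased with {@link Locale#ROOT}) is one of
     * the configured keywords. {@code null} and blank input never match.
     */
    protected boolean isSqlSnippet(String str) {
        if (str == null) {
            return false;
        }
        // Locale.ROOT keeps the comparison independent of the JVM default
        // locale (e.g. the Turkish dotless-i rule).
        String normalized = str.trim().toLowerCase(Locale.ROOT);
        if (normalized.isEmpty()) {
            return false;
        }
        StringTokenizer tokens = new StringTokenizer(normalized);
        while (tokens.hasMoreTokens()) {
            if (riskStrMap.containsKey(tokens.nextToken())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the init parameters. Blank values are treated as absent, so the
     * defaults stay in effect.
     *
     * @throws ServletException if {@code maxValueLength} or {@code maxParaNum}
     *                          is present but not an integer
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String characterEncoding = trimmedParam(filterConfig, "characterEncoding");
        if (characterEncoding != null) {
            charEncoding = characterEncoding;
        }

        String riskPattern = trimmedParam(filterConfig, "riskPattern");
        if (riskPattern != null) {
            riskStrs = riskPattern.split("\\|");
        }
        for (String riskStr : riskStrs) {
            // Keys are lower-cased to match the normalisation in isSqlSnippet;
            // otherwise a configured "SELECT" would never match.
            String key = riskStr.trim().toLowerCase(Locale.ROOT);
            if (!key.isEmpty()) {
                riskStrMap.put(key, "");
            }
        }

        String errorUrl = trimmedParam(filterConfig, "errorPageUrl");
        if (errorUrl != null) {
            errorPageUrl = errorUrl;
        }

        maxValueLength = parseLimit(filterConfig, "maxValueLength", maxValueLength);
        maxParaNum = parseLimit(filterConfig, "maxParaNum", maxParaNum);
    }

    public void destroy() {
    }

    /** Returns the trimmed init parameter, or {@code null} when absent or blank. */
    private static String trimmedParam(FilterConfig cfg, String name) {
        String raw = cfg.getInitParameter(name);
        if (raw == null) {
            return null;
        }
        String trimmed = raw.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

    /**
     * Parses an integer init parameter, returning {@code current} when the
     * parameter is absent or blank.
     *
     * @throws ServletException when the value is present but not an integer
     */
    private static int parseLimit(FilterConfig cfg, String name, int current) throws ServletException {
        String raw = trimmedParam(cfg, name);
        if (raw == null) {
            return current;
        }
        try {
            return Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            throw new ServletException("init parameter '" + name + "' is not an integer: " + raw, e);
        }
    }
}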
过滤器防止sql注入
转载自superivan.iteye.com/blog/1703739